The following script appears to crash any WebKit-based browser when provided by an HTML file or delivered via an XSS etc. Additional abstract behaviour can be observed by placing a large HTML payload after the body tag.

--- begin script ---
document.writeln(window.document.body.innerHTML);
--- end script ---

--- begin html file ---
<body>
AAAAAAAA
<script> document.writeln(window.document.body.innerHTML);</script>
</body>
--- end html file ---
<rdar://problem/5888128>
Reproducible crash -> P1.
This appears to have the same root cause as https://bugs.webkit.org/show_bug.cgi?id=15123 - there is no recursion check in WebCore::Document::write(). I'll have a patch for 15123 soon, suggest marking this bug as duplicate.
This bug is closed by http://trac.webkit.org/changeset/77333
*** This bug has been marked as a duplicate of bug 15123 ***
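A toy model of the re-entrancy the fourth comment points at, as an added example that is not WebKit's code or the patch for bug 15123: the reported payload writes body.innerHTML, which contains the very script that is running, so write() re-enters itself without bound; the nesting cap below is an assumed value chosen for the example, and the constructed page body is the one from the report.

```javascript
// Assumed cap for this example; the real limit is not stated on the page.
const MAX_WRITE_NESTING = 8;

// Constructed sample: the body from the bug report.
const REPORTED_BODY =
  'AAAAAAAA <script> document.writeln(window.document.body.innerHTML);</script>';
const SCRIPT_RE = /<script>([\s\S]*?)<\/script>/;

// Build a minimal document whose write() runs inline scripts it receives,
// as a parser does. With guard=false the recursion only stops when the
// process runs out of stack or memory (the reported crash), so it is not
// invoked here; with guard=true the nesting check refuses the write instead.
function makeDocument(bodyHtml, guard) {
  const doc = {
    body: { innerHTML: bodyHtml },
    writeNesting: 0, // write() calls currently on the stack
    maxNesting: 0,   // deepest re-entry observed
    rejected: 0,     // writes refused by the guard
  };
  const win = { document: doc };
  const write = (html) => {
    if (guard && doc.writeNesting >= MAX_WRITE_NESTING) {
      doc.rejected += 1;
      return;
    }
    doc.writeNesting += 1;
    doc.maxNesting = Math.max(doc.maxNesting, doc.writeNesting);
    try {
      doc.body.innerHTML += html; // written markup becomes part of the body
      // A parser runs every inline script it reaches; following the first
      // one is enough to show the re-entrant path.
      const m = SCRIPT_RE.exec(html);
      if (m) new Function('window', 'document', m[1])(win, doc);
    } finally {
      doc.writeNesting -= 1;
    }
  };
  doc.write = write;
  doc.writeln = (html) => write(html + '\n');
  return doc;
}

// Load the page: the parser reaches the <script> in the body and runs it once;
// everything after that is write() calling itself through the written script.
function loadPage(bodyHtml, guard = true) {
  const doc = makeDocument(bodyHtml, guard);
  const m = SCRIPT_RE.exec(bodyHtml);
  if (m) new Function('window', 'document', m[1])({ document: doc }, doc);
  return doc;
}

const guarded = loadPage(REPORTED_BODY);
console.log('nesting reached:', guarded.maxNesting, 'writes refused:', guarded.rejected);
```

Because each write appends the whole body, the body doubles at every level, so even the guarded run ends with 2^MAX_WRITE_NESTING copies of the payload; that growth is why the unguarded path exhausts resources quickly.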